Strengthening Information Security
Late last year, Aspiriant began a new firm-wide information security program that has changed how we interact online with clients when sending and receiving sensitive financial information. The new system reflects a growing trend among businesses in the U.S. to develop more stringent security measures to protect customers’ financial information. It follows on the heels of recent privacy legislation in states such as Massachusetts and Nevada that holds companies to stricter standards of information security than in the past.
Jay Owens, Director of Information Technology, talked with our Chief Operating Officer, Tom Tracy, about how the new process is going.
First, let’s talk basics - how does the new system work?
Our staff is now able to send messages through a secure website that encrypts emails and attachments during transmittal so they can’t be opened by cyber criminals should they fall into such hands. We use this site when delivering anything that contains sensitive data and needs to remain private between the sender and receiver, especially personal financial information. The recipient receives an email in his or her inbox with a hyperlink to the secure message. By clicking on the link, the recipient can log into a secure website to view, download and respond to the message. The password the recipient creates is known only to them.
Did Aspiriant develop this new system from scratch?
No. We worked closely with a leading provider of hosted services in email encryption in the US, the Zix Corporation. Zix provides services to more than 1,100 financial institutions in all 50 states, and among the government agencies using its services are the FDIC, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
What are the benefits to using this new system and a special website?
It provides an additional level of security for the transmission of sensitive financial information and meets privacy and regulatory compliance standards. Increasingly, state and federal legislation is requiring more stringent security to protect consumer privacy. This new program is an efficient and secure way to send private messages while eliminating the cumbersome process of creating, communicating and changing passwords on various attachments.
Does Aspiriant need to use this system for every email we send to clients? Or others with whom we might be sharing sensitive personal information, such as banks or accountants?
No, if we are writing to communicate something that does not contain sensitive information, we can use our regular email channel to send the message.
Can a client or vendor send a secure message to an Aspiriant employee?
Yes. When someone receives a secure email from Aspiriant and logs into the message center, there are “reply” and “reply to all” buttons much like a standard web-based email account. When replying to a secure email message, all contents of the email as well as attachments are secure. So the best way to send Aspiriant secure information is to reply to a message that was received via our secure message center.
Alternatively, once someone has established a password to our secure message center, he or she can log back in at any time to compose a new message to an Aspiriant address. We recommend this procedure to provide security on both inbound and outbound messages with sensitive information.
What has been the response of clients and staff?
We sent out information and instructions to staff and clients prior to putting the new program in place. So far, things have gone reasonably well, but I wouldn’t deny that the system takes some getting used to. Since we launched the system early last November, we’ve received approximately 1 support call for every 100 messages sent. That 1% seems like a minimal number for the volume of messages going through the system.
What are the main issues that have arisen?
Most of the issues have revolved around two issues – message expiration and login concerns. Since the message center was developed as a means of transmitting data rather than storing it permanently, messages expire after 28 days. So if an email has not been read or downloaded in that time period, it is no longer available and the recipient must request that the message be resent by our staff. More frequently, we encounter login problems such as a lost or forgotten password or the difficulty of choosing a password that meets the required complexity standards. Passwords must contain a combination of upper and lower case letters, symbols and numbers to make accounts resistant to attack.
Do you have tips for staff and clients in keeping track of their online passwords?
Yes. Depending on the complexity of your online activity, it could be a good idea to develop a systematic approach to passwords. If you select a new password for every site you visit on the fly, you’ll quickly go insane trying to keep track of them all and will be tempted to forget them or write them down where they can be found. Some people choose to categorize Internet sites (banking vs. blog/newspaper sites vs. email accounts) and stick to three or four passwords that they can easily change on a regular basis. Practicing the art of altering or adding certain characters in a basic password (using $ for S, @ for A, etc.) is a common way to create complex passwords that can be remembered. This also provides flexibility if you feel the need to keep a written list, since you can then list hints about the password rather than the passwords themselves.
Of course, you don’t want your approach to be based on any underlying principles that could be easily deciphered. You wouldn’t want someone to discover one password and thereby have the key to all of them. The secret to passwords is keeping them as complex and random as possible, yet manageable at the same time. It’s a difficult balance!
Remember, you don’t want to display a list of passwords in plain view or make the classic mistake of storing a Post-It note under your keyboard. If you need to document your passwords on paper, keep them in a locked secure location. There are also various software programs that can help you keep track of passwords or create encrypted folders on your computer for this purpose. It can easily become overwhelming, with passwords protecting other passwords, but with a little forethought you’ll be in control of your passwords rather than your passwords controlling you.
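The complexity rule stated earlier (upper- and lower-case letters, symbols and numbers) and the point made above, that a substitution scheme such as $ for S must not be the only thing that separates a password from a guessable word, can both be enforced by a server-side policy check at enrollment time. The following Python is an added example written for this page, not Aspiriant's or Zix's code; the minimum length, the substitution map and the banned-word list are constructed assumptions, and a real deployment would use a large breach-derived word list.

```python
"""Password-policy checker (constructed example; not the message center's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the interview states no minimum length, so 8 is chosen here.
MIN_LENGTH = 8

# Reverse map for common look-alike substitutions ($ for S, @ for A, ...).
# Constructed for this example; a policy checker undoes these before
# comparing against banned words so that "P@$$w0rd" is not treated as novel.
SUBSTITUTIONS = {
    "$": "s", "@": "a", "0": "o", "1": "i",
    "3": "e", "4": "a", "5": "s", "!": "i",
}

# Constructed banned-word list (company name, classic weak choices).
BANNED_WORDS = frozenset({"password", "aspiriant", "welcome", "letmein"})

# Required character classes from the interview's rule.
CHARACTER_CLASSES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def missing_classes(password: str) -> List[str]:
    """Return the names of required character classes absent from the password."""
    return [name for name, pattern in CHARACTER_CLASSES.items()
            if not re.search(pattern, password)]


def normalize(password: str) -> str:
    """Lower-case the password and undo look-alike substitutions."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def banned_word_in(password: str) -> Optional[str]:
    """Return the first banned word contained in the normalized password, if any."""
    normalized = normalize(password)
    for word in sorted(BANNED_WORDS):
        if word in normalized:
            return word
    return None


def check_password(password: str) -> PolicyResult:
    """Apply length, character-class and banned-word rules; collect every failure."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for name in missing_classes(password):
        reasons.append(f"missing {name}")
    word = banned_word_in(password)
    if word is not None:
        reasons.append(f"contains banned word '{word}' after undoing substitutions")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ["P@$$w0rd1", "Summer2024", "Ab1!", "Mk7#vQ2pL!"]:
        result = check_password(candidate)
        verdict = "accepted" if result.accepted else "rejected: " + "; ".join(result.reasons)
        print(f"{candidate!r}: {verdict}")
```

`P@$$w0rd1` satisfies every character-class rule yet is rejected, because after the substitutions are undone it reads `passwordi` and contains a banned word; that is the check a complexity-only rule would miss.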
Any final thoughts on information security in today’s world?
There’s a lot to say. It’s no surprise that several recent surveys, including one released in March by TechAmerica, have found that information security continues to be the top concern of IT professionals worldwide. As technology plays a profound role in our lives, we’ll have to continue balancing privacy concerns with the convenience and satisfaction of living in an online universe. We’re living in a fascinating period in which there’s a constant mash-up of highly fashionable consumer gadgets, an adoration of social networking, a global economy, the threat of cyber terrorism and a real desire for other people to simply mind their own business! Managing information security can feel like battling a modern version of the ancient Hydra. You cut off one intrusion point and before you know it two more have grown back in its place. Hackers will continue developing more sophisticated ways to jeopardize security, and lawmakers and technology innovators will continue fighting back with tools to protect information. Being ready and flexible enough to embrace new situations is fundamentally important. And I often remind myself that as new as everything might feel, we’re actually just experiencing our own particular piece of technological evolution. I imagine similar conversations were taking place during the shift from the telegraph to the telephone. So when we get frustrated with all the trappings of modern technology, we can either feel fearful or instead rejoice that we no longer have to learn Morse code to invite a friend to dinner.
Note: For more information about Aspiriant’s secure messaging initiative, please visit the FAQ section of our website at www.aspiriant.com/secure_email_faqs.html.